NodeJS/tough-cookie/1.2.0


RFC6265 Cookies and Cookie Jar for node.js

https://www.npmjs.com/package/tough-cookie
BSD-3-Clause

4 Security Vulnerabilities (3 distinct CVEs: CVE-2016-1000232 appears twice below, once per advisory source)

tough-cookie Prototype Pollution vulnerability

Published date: 2023-07-01T06:30:16Z
CVE: CVE-2023-26136

Versions of tough-cookie before 4.1.3 are vulnerable to prototype pollution when a CookieJar is used with rejectPublicSuffixes=false. The issue arises from the way the in-memory store initializes its index objects: they are plain objects, so a cookie whose Domain attribute is __proto__ resolves to Object.prototype and the store's nested writes land on the prototype shared by every object in the process. With the default rejectPublicSuffixes=true, a domain such as __proto__ is refused as a public suffix before it reaches the store, which is why the non-default setting is required to trigger the bug.

Affected versions: ["4.1.2", "4.1.1", "4.1.0", "4.0.0", "3.0.1", "3.0.0", "2.5.0", "2.4.3", "2.4.2", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.0", "1.2.0", "1.1.0", "1.0.0", "0.13.0", "0.12.1", "0.12.0", "0.11.0", "0.10.0", "0.9.15", "0.9.14", "0.9.13", "0.9.12", "0.9.11", "0.9.9", "0.9.8", "0.9.7", "0.9.6", "0.9.5", "0.9.4", "0.9.3", "0.9.1", "0.9.0"]
Secure versions: [4.1.3, 4.1.4, 5.0.0, 5.0.0-rc.0, 5.0.0-rc.1, 5.0.0-rc.2, 5.0.0-rc.3, 5.0.0-rc.4, 5.1.0, 5.1.0-rc.0, 5.1.1, 5.1.2, 6.0.0, 6.0.0-rc.0, 6.0.0-rc.1, 6.0.0-rc.2, 6.0.1]
Recommendation: Update to version 6.0.1.
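
The pollution path described above, as an added example that is not tough-cookie's own code: a minimal model of a cookie store that indexes cookies as idx[domain][path][key], once with a plain-object index (the vulnerable shape) and once with null-prototype objects (the usual hardening for this bug class), behind a model jar whose rejectPublicSuffixes gate is simplified to "refuse any single-label domain" in place of a real Public Suffix List lookup. The class names, the probe path /notauth and the crafted cookie are all constructed for this illustration.

```javascript
// Added example, not tough-cookie's code: a minimal model of a cookie store
// that indexes cookies as idx[domain][path][key]. Store and jar classes,
// the probe path and the crafted cookie are all constructed for illustration.

// Vulnerable shape: the index is an object literal. A domain of "__proto__"
// resolves to Object.prototype, so the nested writes below land on the
// prototype shared by every plain object in the process.
class VulnerableMemoryStore {
  constructor() {
    this.idx = {};
  }
  putCookie(cookie) {
    if (!this.idx[cookie.domain]) this.idx[cookie.domain] = {};
    const byPath = this.idx[cookie.domain];
    if (!byPath[cookie.path]) byPath[cookie.path] = {};
    byPath[cookie.path][cookie.key] = cookie;
  }
}

// Hardened shape: null-prototype objects have no inherited "__proto__"
// accessor, so the same domain becomes an ordinary own property.
class HardenedMemoryStore {
  constructor() {
    this.idx = Object.create(null);
  }
  putCookie(cookie) {
    if (!this.idx[cookie.domain]) this.idx[cookie.domain] = Object.create(null);
    const byPath = this.idx[cookie.domain];
    if (!byPath[cookie.path]) byPath[cookie.path] = Object.create(null);
    byPath[cookie.path][cookie.key] = cookie;
  }
}

// Model jar with a simplified rejectPublicSuffixes gate (assumption: a real
// jar consults the Public Suffix List; here any single-label domain such as
// "__proto__" counts as a public suffix and is refused when the option is on).
class ModelCookieJar {
  constructor(store, { rejectPublicSuffixes = true } = {}) {
    this.store = store;
    this.rejectPublicSuffixes = rejectPublicSuffixes;
  }
  setCookie(cookie) {
    if (this.rejectPublicSuffixes && !cookie.domain.includes(".")) {
      throw new Error("Cookie has domain set to a public suffix");
    }
    this.store.putCookie(cookie);
  }
}

const PROBE_PATH = "/notauth"; // constructed path carried by the crafted cookie

// True when the crafted path exists as an own property of Object.prototype.
function prototypeIsPolluted() {
  return Object.prototype.hasOwnProperty.call(Object.prototype, PROBE_PATH);
}

function cleanPrototype() {
  delete Object.prototype[PROBE_PATH];
}

// Runs one store/option combination and restores Object.prototype afterwards.
function runScenario(StoreClass, rejectPublicSuffixes) {
  cleanPrototype();
  const jar = new ModelCookieJar(new StoreClass(), { rejectPublicSuffixes });
  const crafted = { key: "session", value: "polluted", domain: "__proto__", path: PROBE_PATH };
  let rejected = false;
  try {
    jar.setCookie(crafted);
  } catch (err) {
    rejected = true;
  }
  const result = {
    rejected,
    polluted: prototypeIsPolluted(),
    // Visible symptom: an unrelated, freshly created object "has" the path.
    leaksIntoFreshObjects: ({})[PROBE_PATH] !== undefined,
  };
  cleanPrototype();
  return result;
}

console.log("vulnerable store, rejectPublicSuffixes=false:", runScenario(VulnerableMemoryStore, false));
console.log("vulnerable store, default options:", runScenario(VulnerableMemoryStore, true));
console.log("hardened store, rejectPublicSuffixes=false:", runScenario(HardenedMemoryStore, false));
```

Run it with node: the first scenario reports polluted: true and leaksIntoFreshObjects: true, the other two report false. To check a real installation the same way, replace the model jar with a tough-cookie CookieJar constructed with rejectPublicSuffixes: false, set a cookie whose Domain is __proto__, and then inspect a fresh {} for the crafted path; the default options serve as the negative control.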

Regular Expression Denial of Service in tough-cookie

Published date: 2018-07-24T20:14:39Z
CVE: CVE-2017-15010

Affected versions of tough-cookie are susceptible to a regular expression denial of service.

The amplification of this vulnerability is relatively low: a malicious input 50,000 characters long takes the regex engine around 2 seconds to process.

The practical limit is Node's default maximum HTTP header size, since a malicious cookie arriving over HTTP cannot exceed what the HTTP parser accepts. If Node was compiled with a larger -DHTTP_MAX_HEADER_SIZE (later releases expose the same limit at runtime as --max-http-header-size), or if cookie strings reach the parser from somewhere other than Node's HTTP parser, the impact can be significant.

Recommendation

Update to version 2.3.3 or later.

Affected versions: ["2.3.2", "2.3.1", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.0", "1.2.0", "1.1.0", "1.0.0", "0.13.0", "0.12.1", "0.12.0", "0.11.0", "0.10.0", "0.9.15", "0.9.14", "0.9.13", "0.9.12", "0.9.11", "0.9.9", "0.9.8", "0.9.7", "0.9.6", "0.9.5", "0.9.4", "0.9.3", "0.9.1", "0.9.0"]
Secure versions: [4.1.3, 4.1.4, 5.0.0, 5.0.0-rc.0, 5.0.0-rc.1, 5.0.0-rc.2, 5.0.0-rc.3, 5.0.0-rc.4, 5.1.0, 5.1.0-rc.0, 5.1.1, 5.1.2, 6.0.0, 6.0.0-rc.0, 6.0.0-rc.1, 6.0.0-rc.2, 6.0.1]
Recommendation: Update to version 6.0.1.

ReDoS via long string of semicolons in tough-cookie

Published date: 2018-10-10T18:57:02Z
CVE: CVE-2016-1000232

Affected versions of tough-cookie are vulnerable to regular expression denial of service when the Set-Cookie header contains a long run of semicolons.

Recommendation

Update to version 2.3.0 or later.

Affected versions: ["2.2.2", "2.2.1", "2.2.0", "2.1.0", "2.0.0", "1.2.0", "1.1.0", "1.0.0", "0.13.0", "0.12.1", "0.12.0", "0.11.0", "0.10.0", "0.9.15", "0.9.14", "0.9.13", "0.9.12", "0.9.11", "0.9.9", "0.9.8", "0.9.7", "0.9.6", "0.9.5", "0.9.4", "0.9.3", "0.9.1", "0.9.0"]
Secure versions: [4.1.3, 4.1.4, 5.0.0, 5.0.0-rc.0, 5.0.0-rc.1, 5.0.0-rc.2, 5.0.0-rc.3, 5.0.0-rc.4, 5.1.0, 5.1.0-rc.0, 5.1.1, 5.1.2, 6.0.0, 6.0.0-rc.0, 6.0.0-rc.1, 6.0.0-rc.2, 6.0.1]
Recommendation: Update to version 6.0.1.

ReDoS via long string of semicolons

Published date: 2016-07-22
CVEs: ["CVE-2016-1000232"]
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Coordinating vendor: Lift Security

Tough-cookie is a cookie parsing and management library.

Versions 0.9.7 through 2.2.2 contain a vulnerable regular expression that, under certain conditions involving long strings of semicolons in the Set-Cookie header, causes the event loop to block for excessive amounts of time.

Affected versions: ["0.9.7", "0.9.8", "0.9.9", "0.9.11", "0.9.12", "0.9.13", "0.9.14", "0.9.15", "0.10.0", "0.11.0", "0.12.0", "0.12.1", "0.13.0", "1.0.0", "1.1.0", "1.2.0", "2.0.0", "2.1.0", "2.2.0", "2.2.1", "2.2.2"]
Secure versions: [4.1.3, 4.1.4, 5.0.0, 5.0.0-rc.0, 5.0.0-rc.1, 5.0.0-rc.2, 5.0.0-rc.3, 5.0.0-rc.4, 5.1.0, 5.1.0-rc.0, 5.1.1, 5.1.2, 6.0.0, 6.0.0-rc.0, 6.0.0-rc.1, 6.0.0-rc.2, 6.0.1]
Recommendation: Upgrade to at least version 2.3.0
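
The failure class in the three ReDoS entries above (CVE-2017-15010 and both CVE-2016-1000232 listings), as an added example that is not tough-cookie's own code: a constructed Set-Cookie value made of a long semicolon run, a timing harness, a linear-time splitter that parses such input in one pass, and a constructed backtracking regex that stands in for the bug class. The regex is not the expression from the affected tough-cookie releases, which none of the advisories quote; it is ambiguous in the same way, so it shows why the cost explodes with the number of semicolons while the splitter stays linear. Function names, the sample header and the use of the advisory's 50,000-character figure are all illustrative.

```javascript
// Added example, not tough-cookie's code. The regex below is a constructed
// stand-in for the bug class, not the expression from the affected releases
// (the advisories do not quote it). Sample inputs are constructed.

// Constructed malicious Set-Cookie value: nothing but semicolons.
function floodHeader(count) {
  return ";".repeat(count);
}

// Constructed ambiguous regex. Both alternatives in the repeated group can
// consume a bare ";", so a run of n semicolons has 2^n possible matches; when
// no "name=" follows, the engine backtracks through every one of them.
const AMBIGUOUS_COOKIE_RE = /^(?:[^;=]*;|;)*[^;=]+=/;

function backtrackingLooksLikeCookie(header) {
  return AMBIGUOUS_COOKIE_RE.test(header);
}

// Linear-time splitter: one forward pass, no regex, no re-scanning. Empty
// segments produced by repeated semicolons are dropped as they are met, so
// the cost is O(length) no matter how many semicolons the value contains.
function linearSplit(header) {
  const segments = [];
  let start = 0;
  for (let i = 0; i <= header.length; i++) {
    if (i === header.length || header[i] === ";") {
      const piece = header.slice(start, i).trim();
      if (piece.length > 0) segments.push(piece);
      start = i + 1;
    }
  }
  if (segments.length === 0) return null;
  const [pair, ...attributes] = segments;
  const eq = pair.indexOf("=");
  if (eq <= 0) return null; // RFC 6265: cookie-name must be non-empty and followed by "="
  return {
    key: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    attributes,
  };
}

// Wall-clock cost of one parse, in milliseconds.
function measureMs(parse, header) {
  const t0 = process.hrtime.bigint();
  parse(header);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

function demo() {
  // Growth of the backtracking stand-in: roughly 4x for every two extra
  // semicolons. Kept small on purpose; it would never finish at 50,000.
  for (const n of [12, 14, 16, 18, 20]) {
    const ms = measureMs(backtrackingLooksLikeCookie, floodHeader(n));
    console.log(`regex stand-in, ${n} semicolons: ${ms.toFixed(2)} ms`);
  }
  // The advisory's 50,000-character case against the linear splitter.
  const ms = measureMs(linearSplit, floodHeader(50000));
  console.log(`linear splitter, 50000 semicolons: ${ms.toFixed(2)} ms`);
  console.log("parsed sample:", linearSplit("sid=abc; Path=/; HttpOnly;;;"));
}

demo();
```

The stand-in is only run at a few dozen semicolons because its time roughly quadruples for every two added. To test a real installation, point measureMs at tough-cookie's Cookie.parse with the same flood input and compare against the 2-second figure the advisory cites; a fixed release returns in milliseconds.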

58 Other Versions

Version  License       Security (known vulnerabilities)  Released
0.9.8    BSD-3-Clause  4                                 2011-12-15 16:03 (over 14 years ago)
0.9.7    BSD-3-Clause  4                                 2011-12-01 23:14 (over 14 years ago)
0.9.6    BSD-3-Clause  3                                 2011-11-23 19:26 (over 14 years ago)
0.9.5    BSD-3-Clause  3                                 2011-11-23 16:09 (over 14 years ago)
0.9.4    BSD-3-Clause  3                                 2011-11-23 15:55 (over 14 years ago)
0.9.3    BSD-3-Clause  3                                 2011-11-07 22:32 (over 14 years ago)
0.9.1    BSD-3-Clause  3                                 2011-10-31 20:14 (over 14 years ago)
0.9.0    BSD-3-Clause  3                                 2011-10-21 19:06 (over 14 years ago)